{ inputs, hostName, ... }:
let
  # Name of the WireGuard interface. It is reused as the nftables match
  # target and rule comment, and as the path component under which the
  # encrypted private key is stored.
  iface = "wg-extra";
  # UDP port WireGuard listens on; opened in chain input-net below.
  port = 16843;
in
{
  # Firewall rules for the tunnel. The chains carry no `type/hook` line,
  # so they are presumably merged into a `table inet filter` that another
  # module declares with the base hooks — confirm against the host's
  # nftables config.
  #
  # Trust model as written: input-extra and output-extra accept every packet
  # unconditionally, so the `log ... drop` lines that follow the jumps only
  # fire once those chains stop accepting (they read as a fall-through for
  # future tightening). The forward chain accepts anything arriving from the
  # tunnel regardless of destination interface or address; as far as this
  # file goes nothing is forwarded because the ip_forward sysctl is left
  # commented out below, but re-enabling it would give peers unrestricted
  # forwarding unless that rule is narrowed (e.g. by oifname / daddr) first.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        udp dport ${toString port} counter accept comment "${iface}"
      }
      chain input-extra {
        counter accept
      }
      chain input {
        iifname ${iface} jump input-extra
        iifname ${iface} log level warn prefix "input-extra: " counter drop
      }
      chain output-net {
      }
      chain output-extra {
        counter accept
      }
      chain output {
        oifname ${iface} jump output-extra
        oifname ${iface} log level warn prefix "output-extra: " counter drop
      }
      chain forward {
        # forward
        iifname ${iface} counter accept
      }
    }
  '';

  # Forwarding between the tunnel and other interfaces is currently disabled
  # (see the note on chain forward above before enabling it).
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # The tunnel's private key is shipped as a systemd encrypted credential
  # stored alongside the host definition in the flake, and decrypted into
  # $CREDENTIALS_DIRECTORY for this service only; only the encrypted .cred
  # blob ends up in the flake source / Nix store.
  systemd.services."wireguard-${iface}" = {
    serviceConfig.LoadCredentialEncrypted = [
      "privateKey:${inputs.self}/hosts/${hostName}/wireguard/${iface}/privateKey.cred"
    ];
  };

  networking.wireguard.interfaces.${iface} = {
    # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
    # Path is resolved by the service's shell at runtime from the credential
    # loaded above; it must not be replaced with a Nix-store path.
    privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
    ips = [ "192.168.43.1/32" ];
    listenPort = port;
    # No network-namespace separation for the socket; the block below shows
    # a namespaced variant that is not in use. Note it references `pkgs`,
    # which is not among this module's arguments — re-enabling it would
    # require adding `pkgs` to the argument set as well.
    socketNamespace = null;
    /*
    interfaceNamespace = "extra";
    preSetup = ''
      ${pkgs.iproute}/bin/ip netns add extra
    '';
    */
    # Each peer is pinned to a single /32, so WireGuard's cryptokey routing
    # only accepts packets from that source address for that peer's key.
    peers = [
      {
        # julm-laptop
        publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
        allowedIPs = [ "192.168.43.2/32" ];
      }
      {
        # julm-mobile
        publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
        allowedIPs = [ "192.168.43.3/32" ];
      }
    ];
  };
}